Victor Duchovni <[EMAIL PROTECTED]> writes:

>Wouldn't the old root also (until it actually expires) verify any
>certificates signed by the new root? If so, why does a server need to send
>the new root?

Because the client may not have the new root yet, and when they try and verify using the expired root the verification will fail. (There's a lot of potential further complications in there that I'm going to spare people the exposure to, but that's the basic idea).

Peter.
